Based on the current capabilities and documentation, it appears there isn't direct support for changing Azure AD PIM role settings, such as allowing permanent eligible assignments, using Bicep or ARM templates. For the latest updates and more detailed information, consult the official Microsoft documentation.
- Bicep/ARM Templates: Direct support for modifying PIM role settings isn't available.
- PowerShell: Recommended for programmatically updating PIM role settings.
- Azure Portal: Use for manual configuration if other methods are not suitable.
Here are some key points and alternatives for managing Azure PIM tasks:
PowerShell
For automating Azure PIM tasks, PowerShell scripts are a viable option. Below is an example script to change the role settings to allow permanent eligible assignments:
1. Install the required modules (if not already installed):

```powershell
Install-Module AzureAD -Force
Install-Module AzureAD.Standard.Preview -Force
```

   **Note**: Verify that these are the correct modules needed for the tasks you're describing.

1. **Connect to your Azure AD**:

```powershell
Connect-AzureAD
```

1. Retrieve and update the role setting:

```powershell
$roleSetting = Get-AzureADMSPrivilegedRoleSetting -ProviderId aadRoles
$roleSetting.EligibilityPeriod = 0 # Setting to 0 aims to make it permanent
Set-AzureADMSPrivilegedRoleSetting -ProviderId aadRoles -Id $roleSetting.Id -EligibilityPeriod $roleSetting.EligibilityPeriod
```
**Note**: Ensure you test this script in a safe environment before applying it to production, to verify that setting the `EligibilityPeriod` to 0 indeed makes the assignment permanent. This could vary based on updates to Azure AD PIM's functionality. It's crucial to check the official Microsoft documentation for any updates or changes in functionality.
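A fuller version of the update above, added here as an example rather than code from the original answer: it locates one role's PIM setting, reads the current admin-eligible expiration rule, replaces it with one that permits permanent eligibility, and re-reads the setting to verify the change. It assumes the AzureADPreview (or AzureAD.Standard.Preview) module, an existing Connect-AzureAD session, real values for `$TenantId` and `$RoleTemplateId`, and that the legacy PIM `ExpirationRule` setting keeps the `permanentAssignment` / `maximumGrantPeriodInMinutes` JSON shape shown.

```powershell
# Added example, not from the original answer: allow permanent eligible
# assignments for one Azure AD role via the AzureADPreview PIM cmdlets.
# Assumptions: the module is installed, Connect-AzureAD has already run,
# and $TenantId / $RoleTemplateId are replaced with real values. The
# 'ExpirationRule' identifier and JSON setting shape follow the legacy PIM
# ruleSetting format; confirm them against current Microsoft documentation.
param(
    [Parameter(Mandatory)] [string] $TenantId,        # ResourceId for the aadRoles provider
    [Parameter(Mandatory)] [string] $RoleTemplateId,  # directory role template ID of the role
    [switch] $DryRun                                  # report without changing anything
)

$providerId = 'aadRoles'
$filter = "ResourceId eq '$TenantId' and RoleDefinitionId eq '$RoleTemplateId'"

# Read the current role setting and its admin-eligible expiration rule.
$roleSetting = Get-AzureADMSPrivilegedRoleSetting -ProviderId $providerId -Filter $filter
if (-not $roleSetting) { throw "No PIM role setting found for role $RoleTemplateId" }
$before = $roleSetting.AdminEligibleSettings | Where-Object RuleIdentifier -eq 'ExpirationRule'
Write-Host "Before: $($before.Setting)"

# Replacement rule: permanent eligibility allowed; keep the 90-day (129600 min)
# cap for time-bound eligible assignments.
$rule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedRuleSetting
$rule.RuleIdentifier = 'ExpirationRule'
$rule.Setting = '{"permanentAssignment":true,"maximumGrantPeriodInMinutes":129600}'

if ($DryRun) { Write-Host "DryRun: would apply $($rule.Setting)"; return }

Set-AzureADMSPrivilegedRoleSetting -ProviderId $providerId -Id $roleSetting.Id `
    -ResourceId $TenantId -RoleDefinitionId $RoleTemplateId -AdminEligibleSettings $rule

# Re-read and verify instead of trusting that the call took effect.
$after = (Get-AzureADMSPrivilegedRoleSetting -ProviderId $providerId -Filter $filter).AdminEligibleSettings |
    Where-Object RuleIdentifier -eq 'ExpirationRule'
if ($after.Setting -notmatch '"permanentAssignment"\s*:\s*true') {
    throw "Verification failed, setting is still: $($after.Setting)"
}
Write-Host "After:  $($after.Setting)"
```

The AzureAD and AzureADPreview modules are deprecated in favour of Microsoft Graph PowerShell, so treat this as a legacy-API path and check current documentation before relying on it. Because permanent eligibility removes the expiry that forces periodic re-assignment, keep access reviews in place for roles configured this way.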
If modifying the role settings via templates or scripts is not feasible, you can configure this setting through the Azure Portal:
1. Navigate to **Azure AD Privileged Identity Management**.
1. Select **Azure AD roles**.
1. Click on **Role settings**.
1. Choose the role you want to configure and click on **Settings**.
1. In the **Assignment type** section, set the eligibility to be **permanent**.
For more detailed guidance:
- [Automating Azure PIM tasks using PowerShell](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-api)
- [Configuring Azure resource role settings in PIM](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-settings)
- [Assigning roles using ARM API](https://docs.microsoft.com/en-us/rest/api/authorization/role-assignments/create)
*Just a reminder to always ensure that any PowerShell commands or scripts are tested in a non-production environment first to confirm their behavior, as Azure services are regularly updated and functionalities may change.*